CVE-2025-6565 – NETGEAR WNCE3001 Vulnerability
June 27, 2025
Multiple Zoho ManageEngine Exchange Reporter Vulnerabilities
June 27, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a new wave of malicious npm packages linked to the Contagious Interview operation, attributed to North Korean threat actors. The attackers published 35 malicious packages from 24 different npm accounts, with over 4,000 downloads so far. Some impacted modules include popular libraries such as “react-plaid-sdk,” “sumsub-node-websdk,” “vite-plugin-next-refresh,” and “node-orm-mongoose.” Six of these packages remain live on npm.
Each infected package contains a covert loader named HexEval, which is installed silently during execution. HexEval collects system information and fetches additional malware, primarily BeaverTail, a JavaScript-based stealer. BeaverTail then deploys InvisibleFerret, a Python-based backdoor granting remote access and enabling data exfiltration from compromised devices.
Researchers noted that the multi-layered structure of these malicious tools is designed to bypass traditional security controls such as static analysis and manual code reviews. Additionally, one attacker account distributed a cross-platform keylogger, expanding their data theft capabilities.
The Contagious Interview campaign was first revealed by Palo Alto Networks’ Unit 42 in late 2023, targeting developers to steal cryptocurrency and sensitive data. The threat actors behind this campaign are tracked under aliases including CL-STA-0240, DeceptiveDevelopment, DEVPOPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
More recently, attackers have used a ClickFake Interview social engineering tactic, where fake recruiters approach victims via LinkedIn, offering enticing job opportunities and sharing “technical assessments” containing infected npm packages hosted on GitHub or Bitbucket. Victims, often running these projects in default environments without proper containerization, inadvertently facilitate the compromise.
Researchers warn that these North Korean cyber actors are increasingly targeting software supply chains by embedding malware in open-source libraries and exploiting the trust developers place in recruiters. This approach allows them to bypass traditional organizational security perimeters and compromise developer systems directly.
Impact
- Unauthorized Remote Access
- Sensitive Information Exposure
- Credential Theft
- Malware Execution
Indicators of Compromise
Remediation
- Remove and uninstall all identified malicious npm packages to stop active infections
- Update all dependencies to trusted, verified versions to eliminate compromised modules
- Conduct a full security scan on developer systems to detect residual malware components
- Rotate all potentially exposed credentials and API keys to prevent unauthorized access
- Review npm accounts and revoke access for unrecognized or suspicious contributors
- Implement strict package review and approval policies before using third-party libraries
- Use containerization or isolated environments for running untrusted code to limit impact
- Educate developers on social engineering risks from fake recruiters and job offers
- Monitor network traffic for unusual connections indicating backdoor communications
- Enable endpoint detection and response (EDR) solutions for real-time threat visibility
- Subscribe to security advisories for timely awareness of supply chain threats
- Enforce multi-factor authentication on npm and code repository accounts to enhance security
- Audit recent commits and deployments for injected malicious code or unauthorized changes
- Apply the principle of least privilege for developer environments to limit attacker reach
- Regularly back up critical project data to ensure recovery if systems are compromised
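The analysis summary above describes packages that run a loader silently at install time, and the remediation list asks for identified packages to be removed and third-party libraries reviewed before use. The script below is an added example, not code from the advisory or its author: it audits a lockfile for the package names the advisory lists and flags install-time lifecycle scripts in a manifest. The lockfile and manifest it checks are constructed sample inputs.

```javascript
// Added example: audit an npm lockfile and manifest for the indicators the
// advisory describes. Package names in the blocklist are taken from the
// advisory; SAMPLE_LOCK and SAMPLE_MANIFEST below are constructed test inputs.
const ADVISORY_BLOCKLIST = new Set([
  'react-plaid-sdk', 'sumsub-node-websdk', 'vite-plugin-next-refresh', 'node-orm-mongoose',
]);
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" (scoped names keep "@scope/").
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Return every installed package (name@version) that appears in the blocklist,
// including nested copies that a top-level dependency pulls in.
function findBlocklistedPackages(lock, blocklist = ADVISORY_BLOCKLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name && blocklist.has(name)) hits.push(`${name}@${meta.version}`);
  }
  return hits;
}

// Return the install-time hooks a manifest declares. An unexpected postinstall
// in a small "technical assessment" project is how a loader can run silently.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'assessment', version: '1.0.0' },
    'node_modules/react': { version: '18.2.0' },
    'node_modules/react-plaid-sdk': { version: '1.0.3' },
    'node_modules/react/node_modules/node-orm-mongoose': { version: '0.1.0' },
  },
};
const SAMPLE_MANIFEST = {
  name: 'assessment',
  scripts: { test: 'jest', postinstall: 'node ./scripts/setup.js' },
};

console.log('blocklisted:', findBlocklistedPackages(SAMPLE_LOCK));
console.log('install hooks:', findInstallHooks(SAMPLE_MANIFEST));
```

Against a real project, load `package-lock.json` and `package.json` with `JSON.parse(fs.readFileSync(...))` and pass them to the two functions; run the check before `npm install`, since by then any install hook has already executed.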